(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Prosecutors say they have unearthed forensic evidence that shows how a former computer security official for a state lottery association let him rig drawings worth millions of dollars across five states using unauthorized code that tampered with a random number generator used to pick winning tickets.

Eddie Raymond Tipton was charged last April and eventually convicted. Prosecutors said the man used his position as information security director of the Multi-State Lottery Association to access a room that housed the random number generator. But until recently, they weren't able to prove exactly how Tipton went about modifying the code so it produced predictable outputs that could be used to pick winning tickets.

According to an article published by the Associated Press, here's how it worked:

Read 2 remaining paragraphs | Comments


(credit: TJJSvdM)

Some Tuesday morning listeners of KIFT, a Top 40 radio station located in Breckenridge, Colorado, were treated to a radically different programming menu than they were used to. Instead of the normal fare from Taylor Swift, The Chainsmokers, or other pop stars, a hack by an unknown party caused one of the station's signals to broadcast a sexually explicit podcast related to the erotic attraction to furry characters. The unauthorized broadcast lasted for about 90 minutes.

KIFT wasn't the only station to be hit by the hack. On the same day, Livingston, Texas-based country music station KXAX also broadcast raunchy furry-themed audio. And according to an article posted Wednesday by radio industry news site RadioInsight.com, the unauthorized broadcasts from a hobbyist group called FurCast were also forced on an unnamed station in Denver and an unidentified national syndicator.

"All in all the FurCast aired for an hour, possibly two," Jason Mclelland, owner and general manager of the KXAX Radio Group, wrote in an e-mail. "During that time they talked about sex with two guys and a girl in explicit details and rambled on with vulgar language not really having much of a point to the podcast. I'm assuming there was no real reason for this hack."

Read 6 remaining paragraphs | Comments


Nobody may be wording it a bit strong. But adoption of these security features is certainly not taking off. If you can think of any features I forgot, then please comment:


That is probably my favorite issue. DNSSEC fixes on of the most important protocols. Without it, spoofing is always possible, and in some cases not even terribly hard. I think there are a number of reasons it is not implemented:

  • If you implement it, there is a good chance that you make your domain non-reachable if you mess up.
  • Implementation is far from straight forward. In particular depositing the key signing keys with your parent zones could be easier.
  • There are few public examples one could point to recently, showing how the failure to provide DNSSEC led to a breach.

So in short: high risk low gain. Insider tip: Some registrars like make it dead simple to enable DNSSEC for zones hosted with them.

HTTPS Key Pinning

Unlike DNSSEC, key pinning is a somewhat new-ish feature, and may not even be supported by all browsers. But while I think you would be hard pressed to find a recent breach that was caused by a site supporting SSLv3 (and we all turned that off. or?), there are multiple examples where certificate authorities issued keys to the wrong party. If anything, our statistics about revoked certs sort of tell the story. But surveys find that less then 1% of sites implement key pinning. I think the issue is similar like with DNSSEC: if you mess up, you take your site down, but there is at least a low perceived risk of actually becoming a victim of a fraudulent certificate. Also, while pretty much any audit tool flags SSLv3 as a big risk, key pinning isnt considered much of a risk at this point.

first-party-only Cookie Attribute

This cookie attribute is supposed to prevent cookies from being sent if javascript is used to send a request, and the javascript wasnt loaded from the site it sends the request to. This can cause numerous issues with cross site request forging, but also helps with the BREACH attack, in particular in its newer implementations. For this one you got a decent excuse: Nobody supports it. Server side configurations do not allow you to enable this feature, and the only client that will support it right now is the yet to be released next version of Google Chrome. Also: the standard is still in draft from and hasnt been approved as an RFC yet


Outbound Firewall Rules

Ok, there are people that implement them, but I still see a lot of networks that dont. Most see a firewall still as a device that blocks inbound connections. Firewalls do that just fine, but the security improvement of inbound filtering is marginal if you only block ports that your server isnt listening on anyway. On the other hand, preventing a server from downloading a backdoor, or connecting to a command and control channel, can be huge. In reality, setting up good outbound filtering can be difficult. Web servers may need to connect to cloudbased webservices, so IPs will change. Anti-Malware tool updates are also often hosten on CDNs, making it difficult to sensibly control them.

Monitoring DNS Logs

Most people watch firewall logs very carefully. Unless you look just at your outbound logs, there is probably little interesting stuff that you will find in your firewall logs. Is it really important for you to know that a kid in China just ran nmap against your systems? On the other hand, DNS logs are full of interesting and actionable information, in particular if you are looking at your recursive name servers. You will find infected systems resolving CC server host names, covert channels and all kinds of good stuff.

Digitally Signed E-Mail (just added this one later...)

A user clicking on a link in an e-mail or opening and attachment is probably how 80% or more of recent breach reports start. But still, I see hardly anybody digitally signing e-mail. Sure not an absolute protection, but wouldnt it help if the mail server stripped attachements from e-mails not signed?

Anything else? I considered using an IDS properly, not reusing passwords, as other topics to talk about.

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[SECURITY] [DSA 3545-1] cgit security update
[SECURITY] [DSA 3544-1] python-django security update
[security bulletin] HPSBGN03570 rev.1 - HPE Universal CMDB, Remote Information Disclosure, URL Redirection

Softpedia News

API Server Security Leaves a Lot to Be Desired
Softpedia News
Data shows that only 30 percent of APIs are planned out without input from the security team, 27 percent go through the development phase without contribution from infosec professionals, and 21 percent of all APIs reach production environments without ...

and more »

MedStar's Good Samaritan Hospital in Baltimore, one of 10 affected by a ransomware attack taking out MedStar's servers. (credit: MedStar)

MedStar, the health network of 10 Maryland hospitals struck by a ransomware attack last week, has now reportedly brought all its systems back online without paying attackers. But a MedStar spokesperson denied reports that the attack was made possible because the health provider's IT department failed to make fixes to systems that had been issued years ago. Ars will publish an in-depth analysis of the techniques used by the Samsam ransomware attackers this Friday.

Tami Abdollah of the Associated Press reported Tuesday that an anonymous source "familiar with the investigation" of the cyberattack claimed that the flaws that allowed attackers to compromise a JBoss Web application server and attack the network with Samsam crypto-ransomware had been highlighted in security warnings from JBoss maintainer Red Hat, the US government and others in February 2007, March 2010, and again this month.

MedStar denies that the earlier warnings—including one issued as a security advisory by Red Hat in April 2010—had anything to do with the attack, according to the findings of a response team from Symantec. "News reports circulating about the malware attack on MedStar Health’s IT system are incorrect," a MedStar spokesperson said in a statement. "Our partner Symantec, a global leader in cybersecurity, has been on the ground from the start of the situation and has been conducting a thorough forensic analysis, as they have done for many other leading companies around the world. In reference to the attack at MedStar, Symantec said, 'The 2007 and 2010 fixes referenced in the article were not contributing factors in this event.'"

Read 3 remaining paragraphs | Comments


LockPath Achieves ISO 27001 Certification
Marketwired (press release)
OVERLAND PARK, KS--(Marketwired - April 07, 2016) - LockPath, a leading provider of governance, risk management and compliance (GRC) solutions, has achieved the ISO 27001 certification, an internationally recognized information security standard ...

and more »
Perli v2.6 iOS - Filter Bypass & Persistent Vulnerability
Eight Webcom CMS (2016 Q2) - SQL Injection Vulnerability
Techsoft WS CMS (2016 Q2) - SQL Injection Web Vulnerability
Quicksilver HQ VoHo Concept4E CMS v1.0 - Multiple SQL Injection Web Vulnerabilities
Virtual Freer v1.58 - Client Side Cross Site Scripting Vulnerability

SANS to Provide Online Access to New ICS Security Training
PR Newswire (press release)
BETHESDA, Md., April 6, 2016 /PRNewswire-USNewswire/ -- SANS Institute, the global leader in information security training, today announced its ICS515: ICS Active Defense and Incident Response is now available OnDemand. This popular course ...

and more »

Colombo security confce begins with eyes on BB heist
Prothom Alo (English)
An initiative of the Indian Infosec Consortium, Ground Zero Summit is the largest collaborative platform in Asia for cyber security experts and researchers to address emerging cyber security challenges and demonstrate cutting-edge technologies. It was ...

and more »
Internet Storm Center Infocon Status